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WHAT IS CLAIMED IS: 




1. In a computer system, a method comprising; 
receiving information indicative of a possible change to a 
protected file; and 

determining whether the cha^nge is valid by verifying the 
file, and if not valid, prevent/ing the change, 
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2. The method of clainv 1 wherein receiving information 
indicative of a possible change includes receiving notification 
indicative of a change to a/protected file. 
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3, The method of claim 1 wherein receiving information 
indicative of a possible ohange includes receiving notification 
of a change to a file, an<k accessing information to determine 
whether the file is protected. 
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4 . The method of claim 1 wherein preventing the change 
includes overwriting a cpanged copy of the file with a valid 
copy of the protected file. 

5. The method ofl claim 1 wherein preventing the change 
includes discarding change data. 
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6. The method of claim 1 wherein determining whether the 
change is valid by verifying the/ file includes obtaining 
cryptographic hash information of the changed file and 
comparing the cryptographic hash information against 
cryptographic hash information associated with the protected 
file. 

7, The method of claim 6 wherein comparing the 
cryptographic hash informanion includes accessing a catalog of 
information for protected itiles. 
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8. The method of cfl.aim 1 wherein determining whether the 
change is valid includes/ determining whether the file includes 
a signature. 

9. The method o:^ claim 1 further comprising, monitoring 
files in a file system/. 
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10. The method of claim 1 wherein preventing the change 
includes copying a valid copy of the protected file to a former 
location of the protected file. 



11 . The metho 
of the protected fi 
25 identity as the pre 



of claim 10 wherein copying a valid copy 
le includes finding a file having the same 
tected file. 
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12. The method of claim 11 whterein finding the file 
having the same identity as the prybtected file includes 
accessing a cache. 

5 

13. The method of claim li further comprising verifying 
the file having the same identity. 

14. The method of claiiry 11 wherein finding the file 
10 having the same identity as phe protected file includes 

accessing a network. 
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15. The method of claim 14 further comprising verifying 
the file having the same ifdentity. 

16. The method of alaim 15 wherein finding the file 
having the same identity/ as the protected file includes 
accessing a recorded meciium. 

17. The method ofl claim 16 further comprising verifying 
the file having the same identity. 



18 . The method o 
includes discarding 
25 component. 



f claim 1 wherein preventing the change 
cljange data and returning a success to a 
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19. The method of claim 1 further comprising receiving 
information indicating that a protect^ed file is about to be 
changed, preserving a copy of the protected file, and wherein 

5 preventing the change includes ovewriting a changed copy of 
the file with a copy of the protected file that was preserved, 

20. A computer-readable mepium having computer-executable 
instructions, comprising : 

10 (1) selecting a plurality /of files as protected files; 

(2) receiving information/ indicative of a possible change 
to a protected file; 

(3) determining whether the file is an exception case, and 

(a) if an exception case, allowing the change, or 
15 (b) if not an exception case, determining whether the 

change is valid by veriifying the file, and 

(i) if valici, allowing the change; and 

(ii) if not valid, preventing the change. 
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21. The computer-readable medium of claim 20 wherein 



receiving information indi 
receiving notification ind 
file. 



cative of a possible change includes 
Lcative of a change to a protected 
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22. The computer-readable medium of claim 20 wherein 
receiving information indicative/ of a possible change includes 
receiving notification of a change to a file, and accessing 
information to determine whether the file is protected. 



23. The computer-readabl/e medium of claim 20 wherein 
preventing the change includes overwriting a changed copy of 



the file with a valid copy of 



the protected file. 



10 24. The computer-readable medium of claim 20 wherein 

preventing the change includes discarding change data. 
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25. The computer-readable medium of claim 20 further 
comprising returning information indicative of a success. 

26. The computer-readable medium of claim 20 wherein 
allowing the change includes writing data saved via a copy-on- 
write process to the file. 

27. The computer-readable medium of claim 20 wherein 
determining whether the fille is an exception case includes 
checking a security descriptor of the file. 
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28. The computer-readable medium of claim 20 further 
comprising providing a prompt before allowing a change. 



29. The computer-readable meaium of claim 20 wherein 
determining whether the change is/ valid includes obtaining 
cryptographic hash information or the changed file, and 
comparing the cryptographic hash information against 

5 cryptographic hash information associated with the protected 
file. 

30. The computer-readable medium of claim 20 wherein 
determining whether the change is valid includes determining 

10 whether the file includes a signature. 



31. A computer systeiry, comprising, 
a protected file, 

a detection mechanisri configured to determine when the 
15 protected file may be changed, 

a verification mechanism; and 

a file protection service, the file protection service 
configured to receive a /determination from the detection 
mechanism that the protected file may be changed, and further 
20 configured to communicate with the verification mechanism to 
verify whether the change is valid, and to prevent the change 
when the change is not valid. 

32. The computer! system of claim 31 wherein the detection 

25 mechanism includes a mechanism for monitoring at least one 

directory for changes |to at least one file therein. 
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33. The computer system of /claim 31 wherein the detection 
mechanism provides a notification to the file protection 
service as the determination mephanism that the protected file 
may be changed. 
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34. The computer system/ of claim 31 wherein the file 
protection service accesses a data structure to determine 
whether the notification recfeived from the detection mechanism 
corresponds to a protected /feile, 
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35, The computer sys/tem of claim 31 wherein the file 
protection service is incorporated into a file system. 



36. The computer system of claim 31 wherein the file 
protection service prevents the change by discarding changed 
data . 
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37. The computer /system of claim 36 wherein the file 
protection service returns information indicative of a success. 

38. The computer! system of claim 31 wherein the 
verification mechanism verifies whether the change to a file is 



valid by comparing a 
against a cryptograph 



ryptographic hash of the file contents 
LC hash associated with a valid file. 
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39. The computer system otf claim 38 wherein the 
cryptographic hash associated with a valid file is maintained 
in a data structure including/a cryptographic hash of the 
contents of at least one other protected file. 
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40, The computer system of claim 31 wherein the file 
protection service prevent^ the change by copying valid data 
over changed data. 

41. The computer sy/stem of claim 40 wherein the file 
protection service locates valid data in a system cache. 
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42. The computer system of claim 40 wherein the file 
protection service locates valid data at a network share. 



43. The computer / system of claim 40 wherein the file 
protection service locates valid data in a recorded medium. 

20 44. The computer system of claim 40 wherein the file 

protection service locates valid data in a preserved location. 



45. The computer system of claim 31 further comprising a 

scanning mechanism fior causing a plurality of files to trigger 
25 the detection mechan|ism. 
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